Is anyone running a fortigate with a full internet routing table, over BGP?
What fortigate would handle it? And is there any documentation regarding this?
I've read the "maximum values matrix" for FortiOS 4 & 5:
I'm not exactly planning to do this, but it would be interesting to know.
The full table is over 450K prefixes. Unless you're multi-homed, I see no real reason to throw that many prefixes into a firewall or even try. If you're building a network with L3 firewalls and think you need BGP routes and full routes, you're probably doing it very very wrong.
Now to look at some things, and yes we tried doing this with a FGT3610A many years back for shits and grins, and no real benefit or purpose. And the physical memory on the box was tacked, and dropping prefixes all of the time. And almost every other function stopped, or we developed some other issues.
If you want to see what will happen, look at your available memory, and then compute how much memory for each bgp prefix.
Typical formula is 1k megs of memory per 100K BGP routes (note: BGP routes before the RIB is updated, plus per peer).
Your hurdle will be the CPU processing & processing time, which would be extremely high and frustrating.
What that means from a BGP traffic engineer's view: every update/refresh for anything and all path attributes will be processed.
That means something as simple as communities additive, path length, as_path withdrawn/add, etc.
Your firewall would be consumed with CPU functions related just to BGP.
And to answer your question as to what model might handle this, a carrier grade 5K chassis. And I highly suspect that even those don't carry full BGP paths.
Well.. I think there are better boxes than the 5Ks for this :-)
Actually in the 3000-series you have devices with loads of cpu & ram, far more than the latest 5K blades. Think of 3600C.
But just as a hunch, I would expect even 1K series to pull this off. Naturally it will have a serious penalty on everything else, but it ought to be able to pull it off.
But you're absolutely correct in saying that someone is doing something terribly wrong if they want to run a full BGP table on a firewall. Should be restricted to admins' laughs only :-)
Even in a multi-homed network with FW at edge, I would maybe, and that's MAYBE, ask the ISPs to advertise domestic routes + default. Then adjust weights to select the preferred default and let the domestics go the fastest path.
When you said: "1k megs of memory per 100K bgp-routes" ... that means 1GB of memory (RAM) for each 100k routes??? So the minimum requirement for a full routing table should be 5GB?
The FTG-1Kc has 8GB.
Let me clarify that some;
Take this dual-homed 7600;
cr02>show bgp sum | in otal
BGP using 86555047 total bytes of memory
cr02>show ip bgp sum
BGP router identifier x.x.x.x, local AS number 65000
BGP table version is 12615790, main routing table version 12615790
438004 network entries using 49494452 bytes of memory
437994 path entries using 21023712 bytes of memory
143938/71953 BGP path/bestpath attribute entries using 14393800 bytes of memory
61068 BGP AS-PATH entries using 1643224 bytes of memory
90 BGP community entries using 2160 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 86557348 total bytes of memory
BGP activity 1752619/1314615 prefixes, 2185932/1747938 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
38.104.xx.xx 4 174 4820942 53942 12615758 0 0 2w0d 437991
204.9.2x.xx 4 31846 151261 137928 12615758 0 0 6w5d 0
The best practice is like 1k bytes of memory for every 100K, but that's only the 1st half of the story. The firewall is supposed to be, well, a "firewall"; if you stick a full BGP feed into a firewall, then it overlaps into what a router does.
CPU will be tagged. How's your current CPU/MEM usage before you add a full BGP table?
Here's what the above Cisco looks like;
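As an added illustration (my own code, not from anyone in the thread), this Python parses the memory counters of the "show ip bgp summary" output quoted above, derives the box's observed bytes per prefix, projects it to a 450K full table with one or two full feeds, and puts the thread's rule of thumb (read as 1 GB per 100K routes, as in the follow-up question) beside it. The per-feed scaling model and that reading of the rule are assumptions.

```python
import re

# Constructed sample input: the memory lines of the "show ip bgp summary" output quoted above.
BGP_SUMMARY = """\
438004 network entries using 49494452 bytes of memory
437994 path entries using 21023712 bytes of memory
143938/71953 BGP path/bestpath attribute entries using 14393800 bytes of memory
61068 BGP AS-PATH entries using 1643224 bytes of memory
90 BGP community entries using 2160 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 86557348 total bytes of memory
"""

ENTRY_RE = re.compile(r"^(\d+)(?:/\d+)?\s+(.+?) entries using (\d+) bytes of memory$")
TOTAL_RE = re.compile(r"^BGP using (\d+) total bytes of memory$")


def parse_bgp_memory(text):
    """Return ({kind: (count, bytes)}, total_bytes) from the summary counters."""
    entries, total = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := ENTRY_RE.match(line):
            entries[m.group(2)] = (int(m.group(1)), int(m.group(3)))
        elif m := TOTAL_RE.match(line):
            total = int(m.group(1))
    return entries, total


def observed_bytes_per_prefix(entries, total):
    """Total BGP memory divided by network (prefix) entries: the box's real per-prefix cost."""
    return total / entries["network"][0]


def project_bytes(entries, total, prefixes, feeds):
    """Project memory for `prefixes` routes learned from `feeds` full-table peers.

    Assumption (not from the thread): network entries scale with prefixes, path entries
    with prefixes * feeds, and every other BGP structure scales with prefixes.
    """
    net_count, net_bytes = entries["network"]
    path_count, path_bytes = entries["path"]
    other = total - net_bytes - path_bytes
    return (prefixes * net_bytes / net_count
            + prefixes * feeds * path_bytes / path_count
            + other * prefixes / net_count)


def rule_of_thumb_bytes(prefixes, gb_per_100k=1.0):
    """The thread's planning rule as read in the follow-up question: 1 GB per 100K routes."""
    return prefixes / 100_000 * gb_per_100k * 1024 ** 3
```

On this output the observed cost is under 200 bytes per prefix, so the 1 GB per 100K figure is a conservative planning margin rather than a measured requirement; the CPU cost of churn, which the thread stresses, is not captured by these counters at all.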